Lead Image by Ricardo Gomez Angel on Unsplash
Vulnerability scans for containers
Screened
Containers are increasingly being used to deploy a particular application on a system. The basis of such a container is an image that provides a suitable run-time environment for the application. In most cases, the images are based on a specific Linux distribution and contain not only the run-time environment for the application itself, but also many of its dependencies, which means a large number of packages in the image. If any one of these packages is vulnerable, every container created from this image is affected. It is therefore important to check deployed images regularly for vulnerabilities and to update them if necessary.
A number of tools can be used for this purpose, but they differ greatly. For example, CoreOS provides a scanner named Clair [1] that can query different data sources to obtain current vulnerability information for each Linux distribution. The tool then scans the existing containers and images to determine whether the packages they contain are affected by the known vulnerabilities. The Docker Bench for Security [2] tool takes a somewhat different approach; it is actually just a shell script that checks the existing containers against the recommendations of the Center for Internet Security (CIS) [3] – a kind of best practices guide for the use of containers (Figure 1).
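To illustrate the kind of configuration check Docker Bench for Security derives from the CIS recommendations, here is an added example (not Docker Bench's own code) that applies a handful of such checks to the JSON emitted by `docker inspect`. The input is constructed sample data, and the specific checks and their wording are this example's own choice, not a reproduction of the CIS benchmark text.

```python
"""Mini CIS-style audit of container runtime settings (added example)."""
import json

# Constructed sample in the shape of `docker inspect` output:
# one reasonably hardened container and one with several weak settings.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "Config": {"User": "app"},
     "HostConfig": {"Privileged": False, "NetworkMode": "bridge",
                    "Memory": 268435456,
                    "SecurityOpt": ["no-new-privileges"]}},
    {"Name": "/build", "Config": {"User": ""},
     "HostConfig": {"Privileged": True, "NetworkMode": "host",
                    "Memory": 0, "SecurityOpt": None}},
])


def audit_container(record):
    """Return a list of findings for one `docker inspect` record."""
    host = record.get("HostConfig", {})
    cfg = record.get("Config", {})
    findings = []
    if host.get("Privileged"):
        findings.append("privileged mode enabled")
    if host.get("NetworkMode") == "host":
        findings.append("shares host network namespace")
    if not host.get("Memory"):          # 0 or missing means unlimited
        findings.append("no memory limit set")
    if cfg.get("User") in (None, "", "root", "0"):
        findings.append("process runs as root")
    sec_opts = host.get("SecurityOpt") or []
    if not any(opt.startswith("no-new-privileges") for opt in sec_opts):
        findings.append("no-new-privileges not set")
    return findings


def audit(inspect_json):
    """Map container name -> findings for every record in the inspect output."""
    return {rec["Name"].lstrip("/"): audit_container(rec)
            for rec in json.loads(inspect_json)}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        status = "WARN" if findings else "OK"
        print(f"[{status}] {name}: {', '.join(findings) or 'no findings'}")
```

On a real host the same function can be fed the output of `docker inspect $(docker ps -q)`; Docker Bench covers far more controls (daemon configuration, image provenance, host hardening) than these five runtime checks.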